6. Hashes and Other Basic Information
Basic info about the sample can be seen by pressing i at the main menu. For shellcode samples, the selected entry point will be displayed along with several types of hashes for the sample. For PE files, information about each section will be displayed as well as hashes for the sample itself. Information for each section includes:
- Entry point
- Virtual address
- Image base
- Virtual size
- Raw data size
- Actual size
- Enabled mitigations
- Hashes for the section
All of the above information is also provided in text file format and also as part of a JSON file.
Strings are often useful when quickly categorizing a sample – for example, if the sample contains a URL string to a suspicious .exe download, it can easily be flagged as likely malicious. The k option brings up the “Find Strings” menu, allowing the user to select which types of strings to search for.
ASCII strings are “normal” string data, while wide char strings refer to Unicode strings, which contain an additional byte for each character. Push stack strings are strings which are included with PUSH instructions that will be put onto the stack, likely as parameters for a WinAPI call. Push stack strings are widely used in shellcode as well as malware. We are not aware of another tool that finds these types of Push stack strings (FLOSS does not seem to).
By default, if a user obtains disassembly, emulates the shellcode, or selects the z option from the main menu (to do everything with config settings), then the strings will all be found by default. The only reason to visit this submenu would perhaps be if someone wanted to only look at strings or to change settings, such as increasing number of characters in a string.
The string setting is a little unique in that it will find strings even if there is not a NULL byte, though for ASCII, it finds it for both (saved only once). This can be useful for some more duplicitous forms of strings.
All strings functions are custom written and not reliant upon other strings utilities